New data reg: 4 things all cloud providers need to know

EU FlagUPDATE 2/7/15: Go visit the updated article.

The new EU General Data Protection Regulation is on its way. The EU Parliament approved the text in March. The new EU Commission president has recently given a time scale of 6 months to conclude negotiations with member states. Some reckon it won’t be in force until 2017. Others say it could be as early as next year.

Cloud providers – are you ready?

1. Cloud providers will be caught directly

New obligations will extend to cloud providers as “data processors”. While the primary obligations will still fall on the customer as “data controller”, cloud providers will have to maintain certain documents and cooperate with the supervisory authority.

2. Mandatory breach notification

If you leak or lose customer data, the customer will not be able to keep silent and will have to notify the supervisory authority. Customers will be keen to ensure they don’t have to notify by ensuring the provider keeps the data secure in the first place. But if there is a problem, expect them to name and shame you. Of course, some providers must notify under existing regs.

3. Massive fines

Fines for the most serious breaches could be up to 5% of global turnover. Data breaches could become very expensive all of a sudden. Customers are likely to seek reassurances from providers and may look to get them to carry this loss if they are the cause. Expect contract wrangling on this point.

4. Data Protection officer

The customer will have to appoint someone as their data protection officer and inform its users of who that is. In turn they may ask the provider to nominate someone to answer data protection queries. This need not be a new role but providers should be prepared to give someone the responsibility.


There’s more. Such as the need to register with only one body across the whole EU rather than, potentially, all of them. There’s also the real “right to be forgotten” that will be enshrined in law, not just the halfway house one under the Google case. Again, these will primarily fall on cloud customers who store data with you. Customers may also scrutinise more closely whether the provider is truly data protection compliant and not just using Safe Harbor as a pretty but useless badge.

I suggest you get ready for the changes now while there’s still time.


  1. […] The new EU Data Protection Regulation is nearing completion in advance of the meeting of the justice ministers on June 15 & 16 with a new consolidated text and a suggestion that it might be passed in December 2015. However, there are reports over haggling between EU member states over some of the provisions so there may be some last minute changes. Here are 4 ways it will affect cloud providers. […]


What's your view? Leave a comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.